Platform
drupal
Component
drupal
Fixed in
3.1.0
3.1.1
CVE-2026-3527 describes a Missing Authentication vulnerability affecting the Drupal AJAX Dashboard module. This flaw allows attackers to bypass access control security levels, potentially gaining unauthorized access to sensitive data or functionality. The vulnerability impacts versions of the module prior to 3.1.0. A fix is available in version 3.1.0.
The Missing Authentication vulnerability in Drupal AJAX Dashboard allows an attacker to exploit incorrectly configured access control security levels. This means an attacker who can craft a malicious request can potentially access administrative functions or data they should not have access to. The blast radius depends on the specific configuration of the Drupal site and the permissions granted within the AJAX Dashboard module. Successful exploitation could lead to unauthorized modifications of site content, user account manipulation, or even complete site takeover, depending on the attacker's ability to leverage the bypassed access controls.
CVE-2026-3527 was publicly disclosed on 2026-03-26. No public proof-of-concept (POC) code has been released at the time of writing. The EPSS score is currently pending evaluation. It is not listed on the CISA KEV catalog.
Drupal sites utilizing the AJAX Dashboard module, especially those with custom access control configurations or legacy deployments, are at risk. Shared hosting environments where multiple Drupal sites share the same server resources may also be affected if one site is vulnerable.
• drupal: Check the version of the AJAX Dashboard module using drush pm-info ajax_dashboard. Look for versions prior to 3.1.0.
• drupal: Review AJAX Dashboard access control configurations in the Drupal administration interface. Ensure that only authorized users have access to sensitive functions.
• generic web: Monitor access logs for unusual requests targeting AJAX Dashboard endpoints, particularly those originating from unauthorized users.
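The version check above can be automated against a site's composer.lock rather than run by hand with drush. The following is an added example, not code from the page or the module project; the package name drupal/ajax_dashboard is assumed from Drupal's contrib naming convention, and the lock file content is constructed sample data.

```python
import json
import re

# Constructed sample composer.lock fragment (not from the page). The package
# name drupal/ajax_dashboard is an assumption based on Drupal contrib naming.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/ajax_dashboard", "version": "3.0.4"},
        {"name": "drupal/token", "version": "1.15.0"},
    ]
})

FIXED_VERSION = "3.1.0"  # first fixed release named in the advisory


def parse_version(v):
    """Turn '3.0.4' or 'v3.0.4' into a comparable tuple.
    Returns None for branch/dev versions (e.g. 'dev-3.x') that cannot be ordered."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def check_lock(lock_text, package="drupal/ajax_dashboard", fixed=FIXED_VERSION):
    """Return (status, installed_version).
    status is 'affected' (older than the fix), 'fixed', 'unknown' (version
    string not comparable, review manually) or 'absent' (module not installed)."""
    lock = json.loads(lock_text)
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    for entry in entries:
        if entry.get("name") == package:
            installed = entry.get("version", "")
            parsed = parse_version(installed)
            if parsed is None:
                return "unknown", installed
            status = "affected" if parsed < parse_version(fixed) else "fixed"
            return status, installed
    return "absent", None


if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))  # → ('affected', '3.0.4')
```

Run it against a real lock file with check_lock(open("composer.lock").read()); a result of "unknown" means the site tracks a development branch and the installed commit must be compared with the 3.1.0 release manually.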
disclosure
Exploit Status
EPSS
0.04% (13th percentile)
CVSS vector
The primary mitigation for CVE-2026-3527 is to upgrade the Drupal AJAX Dashboard module to version 3.1.0 or later. If upgrading is not immediately feasible, review and strictly enforce access control configurations within the AJAX Dashboard module to minimize potential exposure. Ensure that only authorized users have access to sensitive functions. Consider implementing Web Application Firewall (WAF) rules to block suspicious requests targeting the AJAX Dashboard endpoints. After upgrading, confirm the fix by attempting to access restricted AJAX Dashboard functions with a non-administrative user account.
Update the AJAX Dashboard module to version 3.1.0 or later. This version corrects the missing authentication vulnerability that makes it possible to exploit Incorrectly Configured Access Control Security Levels.
CVE-2026-3527 is a missing authentication vulnerability in Drupal AJAX Dashboard versions prior to 3.1.0, allowing attackers to bypass access controls.
You are affected if your Drupal site uses the AJAX Dashboard module and is running a version earlier than 3.1.0.
Upgrade the Drupal AJAX Dashboard module to version 3.1.0 or later. Review and strengthen access control configurations in the meantime.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official Drupal security advisory for CVE-2026-3527 on the Drupal website.